Remote access and security system

ABSTRACT

A method and system for remotely controlling access to a value unit. The system includes a central control means which includes control data relating to the control of access to one or more value units by associated access controllers. The system includes remote communication means between the central control means and operator control units, and between those units and access controllers. The control data includes an identity structure for the access controller that defines its permissible behaviour, and access control data defining operator control over the access controller. The access controller remains inaccessible until its identity structure is loaded and implemented. The identity structure may be encrypted so that only the central control means and the access controller can decipher it, thus creating a virtual configuration link between the central control means and the access controller via the operator control unit. The operator control unit only has access to the access control data.

TECHNICAL FIELD

This invention relates to a remotely operable access and security system.

BACKGROUND

There are many circumstances in which it may be desirable for an owner, operator or manager of items of value to have control over access to that or those items wherever they may be and by whom.

There are many security systems available. In general such security systems may control who has access to the item of value, for example access to buildings or other sites to selected people, such as employees; access to safes, vaults and other such security containers; access to vehicles; access to information and data on a personal computer or a database. These are just a few examples.

In some circumstances existing security systems allow for remote operation of access to a fixed site. In other systems, such as electronically controlled alarms and locks on motor vehicles, the item of value is moveable, but access to it is only controllable at a local level and only by the pre-selected operator.

However, many circumstances exist where security is required in relation to an item or items which do not have a fixed location, and/or for which access is required by a range of different people, perhaps in different circumstances, and for which the owner/operator/manager will wish to retain control over who has access, where and when. To provide such flexibility, the lock may need to have different characteristics at different times or locations.

One system presently known which may be used to allow controlled access to a moveable item's location is to provide a programmable key which can communicate with the lock via a local area communications system. Such a system is described in United States patent specification No. U.S. Pat. No. 4,766,746. The key is programmed by an authorising person or system via a wide area communications network to enable it to open one or more locks, each of which may be identified by a unique identification number. A pin or access number may be required to verify that an authorised person has the key. The key then communicates with the lock, instructing it to open.

The key may also be programmed with information to reconfigure the characteristics of the lock, for example any time periods during which the lock will not open. This function provides increased functional flexibility to the lock and helps to avoid having to reprogram the lock at a central servicing location.

However, at present, security systems of this type require the operator to specifically program the lock. This requires someone to travel to the location of the local area communications system of the lock to enable communication with the lock to reconfigure it. This reconfiguring may be performed the next time someone wishes to enter the lock, but this person may not know how to reconfigure the lock. Alternatively, the person may forget to reconfigure the lock or may not be trusted to reconfigure the lock before accessing the items of value. Therefore, the reconfiguration may not occur, resulting in a risk of a security breach.

Another disadvantage of this method is that control intelligence relating to the lock is readable by the key and therefore may be susceptible to theft. This may compromise the security of the lock by, for example, allowing others to identify the times when the lock may be opened.

Furthermore, this type of system does not allow for simultaneous central control of access by a plurality of operators to a single value unit or site, or of access by one or more operators to multiple value units.

Other known methods of providing remote security locking include providing a direct communication link between the lock and the authorising person or system, as is described in U.S. Pat. No. 5,815,557. The direct link has the advantage of ensuring that the lock can be reconfigured at any time. One method involves the person requiring to open the lock communicating their intention to the authorising person or system and adequately identifying themselves. The authorising person or system then sends a signal to open the lock. Reconfiguration data may be sent directly to the lock via the communication link. This method has the disadvantage of requiring the authorising person or system to be available when access is required to send the command to open the lock.

Another known solution to the problem of providing remote security locking, again described in the U.S. patent specification No. 4,766,746, also involves having a direct communication link between the lock and the authorising person or system to provide configuring information and a second communication link between a key and the authorising person or system. The key receives a communication enabling it to open one or more locks and may require a PIN to ensure an authorised person is using the key. This method has the disadvantage of requiring the lock to be connected to a wide area communications network, increasing its cost and complexity and possibly limiting its portability.

Thus, it is an object of the present invention to provide a method and apparatus for enabling security for and/or access to items of value remotely that overcomes or alleviates problems in such methods and apparatus at present or at least to provide the public with a useful choice.

Other objects of the present invention may become apparent from the following description which is given by way of example only and with reference to the accompanying drawings.

SUMMARY OF THE INVENTION

According to one aspect of the present invention there is provided a remote access control system adapted to enable the remote control of access to one or more value units by one or more operators, the system including:

-   a central control means including control data including an identity structure relating to the permissible behaviour of an access controller and access control data defining operator control over the access controller;
-   one or more access controller, each adapted to selectively prevent or enable access to a value unit;
-   one or more operator control unit, including actuating means, adapted to enable interaction of an operator with the control system;
-   first communication means adapted to provide remote communication between the central control means and one or more operator control unit;
-   second communication means adapted to provide remote communication between an operator control unit and one or more access controller;
-   and wherein when communication of identity structure to an access controller unit is required, a virtual configuration link is created between the central control means and the access controller for that value unit, via an operator control unit, for the transfer of the identity structure from the central control means to the access controller to initialise the access controller and so allow the access control data to gain access to the access controller.

Preferably, the identity structure may include an application template and configuration data for the access controller.

Preferably, the access data may include operator control unit identification data, operator identification data and access controller identification data.

Preferably, the identity data, and optionally all the control data, may be encrypted, and at least the identity data may only be deciphered by selected access controllers and the central control means.

According to a further aspect of the invention there is provided a method of remotely controlling access to a value unit through a control system by an operator including:

-   providing, at a central control means, access control data relating to the control of access to a value unit by an associated access controller;
-   providing, at the central control means, an identity structure relating to the permissible behaviour of the access controller;
-   operating an operator control unit via actuating means to interact with the control system;
-   forming a virtual configuration link between the central control means and the access controller, via the operator control unit, for transfer of the identity structure from the central control means to the access controller via first communication means providing remote communication between the central control means and the operator control unit and second communication means providing remote communication between the operator control unit and the access controller, the identity structure initialising the access controller to allow the access control data to gain access to the access controller and therefore enable access to the value unit.

Other aspects of the present invention may become apparent from the following description which is given by way of example only and with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1:

Shows a diagrammatic representation of the operation of the system of the present invention.

FIG. 2:

Shows an example of use of the system of the present invention in controlling access to shipping containers.

DETAILED DESCRIPTION OF THE INVENTION

In this specification reference is made to centralised management nodes (CMNs) or central control means, personal access nodes (PANs) or operator control units and remote value nodes (RVNs) or access controllers. The term CMN is used to describe a database, management and communication system that supplies RVN identity structure, template and configuration data and access and control information to one or more PAN.

The term PAN is used to describe a personal access device which an authorised person can use to access one or more allocated RVN. Thus, a PAN will have some form of actuation means such as a portable keypad device, with communication means enabling it to communicate to the CMN and one or more RVN.

The term RVN is used to describe an electronic control device which is associated with any form of valuable item which requires controllable access. Examples of valuable items (hereafter referred to as “value units”) would include shipping containers, retail security cabinets, vending machines, buildings, courier bags, and the like. These examples include locking mechanisms which may be remotely operated. It will be appreciated that there are many other types of value unit which may include locking mechanisms which could be controlled through the system of the present invention, such as personnel security access. In addition, the invention may be equally applicable to the control of access to different types of value unit, such as data and information, via security systems other than physical locks. This may include, for example, internet access, smart card cash transfer, and access to electronic databases of any type.

A PAN provides an intermediate communication link between the CMN and one or more RVN. Communication between the CMN and the or each PAN is via, for example, direct serial link using local PC connections, one or two-way pager networks, a two-way cellphone network or other means of wide area data communication.

Communication between a PAN and one or more RVN is via local area communication means, such as an infrared link, a local area RF link or a direct connection.

A RVN may include a controller unit and an associated locking mechanism. For security reasons a RVN may be located within its associated value unit. For example, if the item is a shipping container or vending machine, then the RVN would be inside that container or machine, would preferably be communicated to by the PAN by remote means, and would therefore be inaccessible except via access to the value unit by an operator of the PAN.

Any given RVN controller has a programming means suitable to store and implement an identity structure. The nature of this identity structure will depend on the nature of the value unit controlled by the RVN. It could include, as a minimum, an access combination. It may also include: time and location criteria, if the item is one which may only be accessed at specific times or dates, or at specific locations (for example controlled by a GPS unit); control criteria, such as how often the unit may be accessed, how long the unit is accessible after access is provided; user/operator group access criteria; and encryption and decryption criteria.

An RVN controller may have a plurality of identity structures so that it may be adapted to operate in a number of different ways.

The identity structure is specific to each RVN application. Each application has an identity structure including a template that can be loaded with configuration data to suit a particular application; different applications being appropriate for different value units and in different circumstances.

The system of the present invention enables the controlled access to one or more RVN from the CMN by employing a virtual configuration link (VCL) between the CMN and the one or more RVN, via one or more PAN. The VCL allows the transfer of communication data between the CMN and RVN automatically when the PAN interfaces with the RVN.

Operation of the system of the present invention is now described in broad terms with reference to FIG. 1.

Information is communicated within the system within three communication protocol layers, the access layer, identity layer and VCL layer. The system creates a secure virtual link as information communicated to the PAN from the CMN and from the PAN to the RVN remains inaccessible to the PAN access layer. The secure virtual link cannot be attacked in the PAN as the access layer does not have access to the encryption.

The access layer communicates security access and control data, which may include user interface, PAN identification, user identification, RVN identification and RVN access and control data. The access layer includes control of the remote value node to ultimately allow or prevent access to the value unit.

The identity layer controls and communicates information relating to the identity structures of the RVN. The CMN constructs the RVN identity structure which determines the behaviour of that RVN. As stated above, the RVN structure includes an application template and configuration data, and also includes initialisation instructions. Without the identity structure an RVN includes no information that would allow it to be vulnerable to “attack” or interference. If, for example, the RVN is an electronic lock on a container, the lock is a “virtual” lock until it is given an identity.

A secure VCL is created by encryption of the information in the identity structure layer. The information is only decipherable by the CMN and RVN and is transmitted as VCL data packets in the VCL by the CMN to the RVN.

The operation of the system of the present invention will now be described in broad terms.

Each PAN has a unique identification number. A PAN is “activated” by communication of its correct identification number to or from the CMN. Any given user or operator of a PAN has an access or PIN number. The CMN loads one or more user authorisations to the PAN in the form of the access or PIN number. The CMN then also loads to the PAN one or more identification numbers for one or more RVN which is to be accessed by the PAN at some time. Hence, a single PAN may be authorised to enable access to multiple RVN to a schedule. The identification numbers and access or PIN number are communicated as part of the access layer protocol. Communication between the CMN and PAN is accomplished via communication means #1 (see FIG. 1).

An application template for the or each RVN is then created by the CMN as part of the identity layer protocol. Configuration data is then loaded based on the information specifying, for example, the PAN identification number, operator identification, RVN identification and operator entry combinations. The combined information communicated by the template and configuration data will vary depending on the application of the RVN.

The combined information is encrypted such that it can only be deciphered by the RVN. This creates a secure VCL between the CMN and the remote RVN as the PAN cannot decipher the encrypted information. The encrypted information is then downloaded to the PAN as a VCL data packet.

Once all necessary data has been communicated from the CMN to the PAN, and a selected operator has correctly identified themselves to the PAN using their access or PIN number, the PAN communicates via communications means #2 (see FIG. 1), which may comprise a local area communications link to the or each RVN. The PAN will download the VCL data packet to a correctly identified RVN. The controller of the RVN deciphers this data, and makes it available to the identity layer in the RVN.

At the identity layer, the RVN reconstructs the application template and loads in the configuration data, then processes this data to initialise the access layer. The configuration data in the application template defines a set of parameters which dictate the operation of the RVN. It will be appreciated that a template may remain programmed into a RVN while the configuration data may be updated through the VCL. Alternatively, a new template and configuration data may be programmed into a RVN, through the VCL each time the RVN is accessed by the PAN.

It is an important feature of the present invention that the existence of a VCL between the CMN and RVN avoids the necessity of an operator to purposefully reconfigure the RVN. When reconfiguration is required, the required data defining the identity structure is simply communicated to one or more PAN; the new identity structure being programmed automatically into the RVN the next time a PAN communicates with the RVN.

The PAN also communicates to the RVN via the access layer, data which could include operator access and control codes. Also at the access layer, the RVN validates the information and permits access to the value unit.

It will be appreciated that each PAN may have one or more assigned operators and can be programmed to access one or more RVN. Each RVN may also allow access by more than one PAN, for example to allow multiple authorised people through a door to a building.

Access and control data is “known” to the PAN and may, for example, contain user identification/PIN numbers, the PAN identification number and access combination details.

A PAN establishes the VCL between the CMN and a RVN by creating a virtual security tunnel. The CMN encrypts the identity structure and creates VCL data packets. The PAN does not have access to the encrypted configuration information contained in the VCL data packets because it does not have the required deciphering codes. When the PAN communicates with a remote RVN the VCL data packet information is downloaded to the RVN which then deciphers the information and updates the RVN template and configuration on the identity layer. The RVN can then process the user level access and control data, also communicated from the PAN.
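
The CMN-to-PAN-to-RVN flow described above can be sketched as follows. This is an added example, not code from the specification: the secret shared between CMN and RVN, the HMAC-based cipher with an authentication tag (a standard-library stand-in for a vetted AEAD such as AES-GCM), the class and field names, and all sample values are assumptions.

```python
import hashlib
import hmac
import json
import os

# Stdlib encrypt-then-MAC stand-in (assumption); use a vetted AEAD in practice.
def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                    for i in range((n + 31) // 32))[:n]

def seal(key, identity):
    """CMN side: turn an identity structure into an opaque VCL data packet."""
    nonce = os.urandom(16)
    plain = json.dumps(identity, sort_keys=True).encode()
    stream = _keystream(_prf(key, b"enc"), nonce, len(plain))
    cipher = bytes(p ^ s for p, s in zip(plain, stream))
    tag = _prf(_prf(key, b"mac"), nonce + cipher)
    return nonce + cipher + tag

def unseal(key, packet):
    """RVN side: authenticate first, then decipher; ValueError on failure."""
    nonce, cipher, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + cipher)):
        raise ValueError("VCL packet failed authentication")
    stream = _keystream(_prf(key, b"enc"), nonce, len(cipher))
    return json.loads(bytes(c ^ s for c, s in zip(cipher, stream)))

class RVN:
    def __init__(self, rvn_id, key):
        self.rvn_id, self._key, self.identity = rvn_id, key, None

    def load_identity(self, packet):           # identity layer
        try:
            identity = unseal(self._key, packet)
        except ValueError:
            return False
        if identity["config"]["rvn_id"] != self.rvn_id:
            return False
        self.identity = identity
        return True

    def request_access(self, access):          # access layer
        if self.identity is None:              # still a "virtual" lock
            return False
        cfg = self.identity["config"]
        return all(hmac.compare_digest(str(access.get(f, "")), str(cfg[f]))
                   for f in ("pan_id", "operator_id", "entry_combination"))

class PAN:
    def __init__(self, pan_id):
        self.pan_id, self.access, self.packet, self._pin = pan_id, None, None, None

    def present(self, rvn, pin):
        if self._pin is None or not hmac.compare_digest(pin, self._pin):
            return False
        rvn.load_identity(self.packet)         # relayed unread, no operator step
        return rvn.request_access(self.access)

class CMN:
    def __init__(self):
        self._keys = {}

    def enrol(self, rvn_id):
        self._keys[rvn_id] = os.urandom(32)    # secret shared only with the RVN
        return RVN(rvn_id, self._keys[rvn_id])

    def authorise(self, pan, rvn_id, operator_id, pin, combination, window):
        access = {"pan_id": pan.pan_id, "operator_id": operator_id,
                  "rvn_id": rvn_id, "entry_combination": combination}
        identity = {"template": "container-lock",
                    "config": dict(access, access_window=window)}
        pan.access, pan._pin = access, pin
        pan.packet = seal(self._keys[rvn_id], identity)

def demo():
    cmn, pan = CMN(), PAN("PAN-77")            # all values below are constructed
    rvn, other = cmn.enrol("RVN-0001"), cmn.enrol("RVN-0002")
    cmn.authorise(pan, "RVN-0001", "op-alice", "4821", "19-03-55", "08:00-17:00")
    tampered = pan.packet[:20] + bytes([pan.packet[20] ^ 1]) + pan.packet[21:]
    return {
        "before_identity": rvn.request_access(pan.access),
        "window_hidden_from_pan": b"08:00-17:00" not in pan.packet,
        "wrong_pin": pan.present(rvn, "0000"),
        "tampered_packet": rvn.load_identity(tampered),
        "packet_for_other_rvn": other.load_identity(pan.packet),
        "granted": pan.present(rvn, "4821"),
    }
```

Only the last check in `demo()` returns access: the RVN refuses correct access data until an authentic identity structure addressed to it has been loaded, and a packet altered in transit through the PAN is rejected rather than deciphered.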

The RVN may also store relevant information relating to its environment and conditions and communicate this information back to the CMN via a VCL established by a PAN. The information may include, for example, recordings of the air temperature around or within the RVN at various times, information relating to the time spent in any specific location or any other useful information which provides the owner/operator with a history of the circumstances of the unit. This information may be downloaded to the CMN via a PAN at the time of access.

An example of the system of the present invention in operation is now presented with specific reference to the control of access to a shipping container. It will be appreciated that shipping containers are a good example of a value unit which does not have a fixed location and which may need to be accessed at different times, in different places by a variety of different operators. It will also be appreciated that the present invention has application in numerous alternative circumstances as referred to previously.

A RVN controller may be located inside a shipping container for controlling the locking mechanism. There would be no physical connection between the RVN and the outside of the container, except for a communication means enabling communication between the controller and a PAN.

Reference is now made to FIG. 2. A remote shipping agent 1 requiring access to a container 2 at the port of destination would communicate their need to access the container to the local shipping agent or security manager 3. Alternatively, this communication may be unnecessary if the RVN in that container has been pre-programmed to enable access at specific locations and times.

The local shipping agent or security manager authorises the remote agent to access a designated container by sending authorisation data to the PAN 4 via the CMN 5. This communication is shown as being via a locally linked PC connection 6 and a wide area communications network 7.

An activated PAN transfers configuration, access and control information to the relevant RVN and thus allows access to the container 2.

Thus, using a system of the present invention an owner/manager of value units which have no fixed location can provide security access to that or those items at any given time or place and only by authorised users/operators. The VCL provides a means for the CMN to communicate with a RVN to update its identity structure, ensuring that the identity structure is updated when required and avoiding the expense of a separate communication system. The unit itself has no fixed external keypad or means of direct communication with the PAN. Furthermore, control intelligence relating to a particular RVN is held in the CMN and not in the RVN itself. The identity structure need only be loaded to the RVN immediately before access is required and removed, if necessary, after access, so that there is no useful information in the RVN which could be vulnerable to attack. Additional security is provided by encryption of data to provide a secure VCL between the CMN and RVN.

Where in the foregoing description reference has been made to specific components or integers of the invention having known equivalents then such equivalents are herein incorporated as if individually set forth.

Although this invention has been described by way of example and with reference to possible embodiments thereof it is to be understood that modifications or improvements may be made thereto without departing from the scope or spirit of the invention.

1-24. (canceled)

25. A system for remotely enabling security to items of value across a communication network, the system comprising: (a) a remote value node (RVN) for storing an identity structure and controlling access to a valuable unit; (b) a personal access node (PAN) for providing access to the RVN, the PAN communicating with the RVN via an access layer and a virtual configuration link (VCL) layer, the access layer being for communicating security access and control data; and (c) a centralised management node (CMN) for storing a plurality of identity structures, templates, configuration data and access/control data and controlling access to the RVN, the CMN communicating with the PAN via the access layer and the VCL layer, wherein the RVN and PAN do not contain information until an operator attempts access to the RVN, an identity layer is between the access layer and VCL layer and the VCL layer is created by encryption of data passing in the identity layer such that the access layer in the PAN cannot access data communicated in the VCL layer, and when a RVN is accessed a request for access passes from the PAN to the CMN via the access layer, the CMN generates and encrypts an application template and configuration data to be passed to the RVN via the PAN through the VCL layer, the RVN deciphers the encrypted application template and configuration data to make the decrypted application template and configuration data available to the access layer for processing to allow access.

26. A system as recited in claim 25, wherein the configuration data is a PAN identification number, an operator identification, a RVN identification and operator entry combinations.

27. A system as recited in claim 25, wherein the PAN includes a portable keypad device with a communication device for communicating with the CMN.

28. A system as recited in claim 25, wherein the value unit is selected from the group consisting of a shipping container, a retail security cabinet, a vending machine, a building, a courier bag, a courier box, internet access, a smart card cash transfer, and an electronic database.

29. A system as recited in claim 25, wherein the identity structure is configuration data and an application template.

30. A system as recited in claim 29, wherein the identity structure is selected from the group consisting of a minimum, an access combination, a time, a location criteria, a date, a location, control criteria, an access window, an operator group access criteria, encryption criteria, decryption criteria and combination thereof.

31. A method for remotely enabling security to items of value across a communication network having a remote value node (RVN) for storing an identity structure and controlling access to a valuable unit, a personal access node (PAN) for providing access to the RVN, the PAN communicating with the RVN via an access layer and a virtual configuration link (VCL) layer, the access layer being for communicating security access and control data and a centralised management node (CMN) for storing a plurality of identity structures, templates, configuration data and access/control data and controlling access to the RVN, the CMN communicating with the PAN via the access layer and the VCL layer, wherein an identity layer is between the access layer and VCL layer and the VCL layer is created by encryption of data passing in the identity layer such that the access layer in the PAN cannot access data communicated in the VCL layer and therefore the identity layer is not available to the PAN, the method comprising the steps of: a) activating the PAN; b) creating and encrypting an application template at the CMN in response to activation of the PAN; c) passing the encrypted application template to the PAN and verifying identification of a user; d) upon identification of the user, passing the encrypted application template to the RVN; e) deciphering the encrypted application template by the RVN; f) reconstructing the application template; and g) processing the application template to allow access.

32. A remote access control system adapted to enable access to at least one value unit by at least one operator, the remote access control system comprising: an access controller operable to selectively prevent and enable access to a value unit; a central controller operable to generate control data including an identity structure relating to permissible behavior of the access controller and access operator data relating to operator control over the access controller; an operator control unit operable to enable communication between an operator and the central controller and the access controller, and receive and store access control data from the central controller; and a transmitter system to provide communication between the central controller and the operator control unit, and the operator unit and the access controller, wherein the access controller prevents or enables access to the value unit based on the access control data and the identity structure, and when updating of an identity structure for the access controller is required, a virtual configuration link is created between the central controller and the access controller for the value unit, via the operator control unit, for the transfer of the identity structure from the central controller to the access controller, wherein communication and update of the identity structure occurs without operator intervention so that the operator cannot communicate access control data from the operator control unit to the access controller without updating the identity structure.

33. A remote access control system as recited in claim 32, wherein data transmitted over the virtual configuration link is encrypted.

34. A remote access control system as recited in claim 32, wherein the access controller and the operator control unit are operable to communicate data from the access controller to the central controller through the virtual configuration link.

35. A remote access control system as recited in claim 32, wherein the operator control unit serves as part of the virtual configuration link between the central controller and the access controller.